Importing Ollydbg Addresses into IDA

Sometimes it can be extremely useful to dump a section of memory in Ollydbg, open the dump in IDA, press C, and then start cross-referencing the two. Typically in this scenario I will be writing my comments in IDA while stepping through the code in Ollydbg. The main issue with this approach is that I lose the API addresses in IDA. I could try to dump the executable and then rebuild the import table, but this doesn't work when it's just raw code; tools like ImpREC only work with portable executable file dumps. So how can we dump a block of memory and still have a somewhat clean view of the code in IDA?

First we will need to dump the memory in Ollydbg. We can do this by right-clicking in the code window, choosing Backup, then Save data to file, and saving it. Next we will need the address of the import table. Once we have the import table address we will need to view it in Ollydbg's dump window. The best way to view the import table is with Ollydbg's Long Address view.


Now we will need to select all the API names, copy them to the clipboard, and save them to a text file. This gives us output like the following.

0087E000  7C865B1F  kernel32.CreateToolhelp32Snapshot
0087E004  7C80981E  kernel32.InterlockedExchange
0087E008  7C809A1D  kernel32.LocalAlloc
0087E00C  7C8017E9  kernel32.GetSystemTimeAsFileTime
0087E010  7C810E17  kernel32.WriteFile
0087E014  7C80BC06  kernel32.OpenFileMappingA
0087E018  7C81CAFA  kernel32.ExitProcess
0087E01C  7C82F863  kernel32.CopyFileW
0087E020  7C810B07  kernel32.GetFileSize
0087E024  7C8094EE  kernel32.CreateFileMappingA
0087E028  7C80B995  kernel32.MapViewOfFile
0087E02C  7C810FC2  kernel32.lstrcatW
0087E030  7C830779  kernel32.GetTempPathW
0087E034  7C80B55F  kernel32.GetModuleFileNameA
0087E038  7C80AEDB  kernel32.LoadLibraryW
0087E03C  7C8099BF  kernel32.LocalFree
0087E040  7C90FE01  ntdll.RtlGetLastWin32Error 

Now we need to open the memory dump in IDA. The image base will need to be changed to the start of the allocated memory; in the example above the base address was 0x00870000. To do this in IDA click Edit, Segments, Rebase program..., then enter the address in the value field. Odds are that when IDA loaded the file it identified code. If not, you will need to find the entry point, or an address we know is code, and press 'c'. If we are lucky IDA will have found some jmps to dwords.

Cool. Now we just need to rename the dwords to the API names that we exported from Ollydbg. This is pretty easy using Python and IDA: open a dialog box to import the APIs exported from Ollydbg, parse the file for the addresses and names, then rename each address. Once completed we will have something that looks like this.

Update
An anonymous user left a helpful comment: "if you drop the DLL prefix and run auto-analysis once more, you even get parameter propagation, granted you have the proper type library loaded." I have modified the original code and image to reflect their helpful comment. To reanalyze in IDA, right-click in the bottom left-hand corner of IDA and then choose Reanalyze program.


Code
from idaapi import *
import idautils
import idc

class OLLYDBG_ADDR_TO_IDA:
    def __init__(self):
        # Prompt for the text file exported from Ollydbg's Long Address view
        self.fileName = AskFile(0, "*.*", 'Ollydbg Address Exported')
        self.content = []
        self.getFile()
        self.renameAddr()

    def getFile(self):
        # A cancelled dialog returns None; an unreadable file leaves content empty
        if not self.fileName:
            return
        try:
            with open(self.fileName, 'r') as f:
                self.content = f.readlines()
        except IOError:
            return

    def renameAddr(self):
        for addr in self.content:
            # Expected layout: <table address> <API address> <module.name>
            list_addr_name = addr.split()
            if len(list_addr_name) != 3:
                continue
            api_addr = int(list_addr_name[0], 16)
            # Drop the "kernel32." prefix so IDA's type library can match the name
            api_name = list_addr_name[2].split('.')[-1]
            MakeNameEx(api_addr, api_name, SN_NOWARN)

OLLYDBG_ADDR_TO_IDA()
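The same steps, split so the parsing can be run and checked outside IDA: this is an added example, not the post's script. It parses a constructed sample of the Long Address export (including a header line and a deliberate name collision, which the post's data does not contain), drops the DLL prefix as the Update suggests, makes the names unique because IDA will refuse a second symbol with an existing name, and checks each import-table slot against the dump's assumed base and size so that slots outside the dumped region are reported rather than silently failing to rename. The `apply_in_ida` function uses the IDA 7+ `idc.set_name` call in place of the older `MakeNameEx`; the dump size of 0x10000 is an assumption for the example.

```python
import re

# Constructed sample of OllyDbg's "Long address" dump window, copied as text:
#   <IAT slot>  <resolved API address>  <module>.<export>
# The kernelbase.LocalFree line is a deliberate collision with kernel32.LocalFree,
# and the final line is a column header, to exercise the edge cases handled below.
SAMPLE_EXPORT = """\
0087E000  7C865B1F  kernel32.CreateToolhelp32Snapshot
0087E004  7C80981E  kernel32.InterlockedExchange
0087E03C  7C8099BF  kernel32.LocalFree
0087E040  7C90FE01  ntdll.RtlGetLastWin32Error 
0087E044  7C8099BF  kernelbase.LocalFree
Address   Value     Comment
"""

# One IAT entry per line: two 8-digit hex columns, then a module.name label.
LINE_RE = re.compile(r'^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+(\S+)\s*$')


def parse_olly_export(text, strip_module=True):
    """Parse the pasted dump into (iat_slot, api_address, name) tuples.

    Lines that do not fit the three-column layout (headers, blank lines,
    unresolved slots without a label) are skipped rather than raising.
    """
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        slot = int(match.group(1), 16)
        target = int(match.group(2), 16)
        label = match.group(3)
        # Dropping the "kernel32." prefix is what lets IDA's type library
        # match the name and propagate parameter types on reanalysis.
        if strip_module and '.' in label:
            label = label.split('.', 1)[1]
        entries.append((slot, target, label))
    return entries


def dedupe_names(entries):
    """Make names unique, since IDA rejects a second symbol with the same name.

    Stripping module prefixes can collide (two DLLs exporting LocalFree);
    later duplicates get a numeric suffix instead of silently failing.
    """
    seen = {}
    result = []
    for slot, target, name in entries:
        count = seen.get(name, 0)
        seen[name] = count + 1
        unique = name if count == 0 else '%s_%d' % (name, count)
        result.append((slot, target, unique))
    return result


def slots_inside_dump(entries, dump_base, dump_size):
    """Keep only IAT slots that lie inside the dumped region.

    After "Rebase program" to dump_base, IDA addresses equal the original
    virtual addresses, so a slot outside [dump_base, dump_base + dump_size)
    was never dumped and cannot be named. Returns (slot, file_offset, name).
    """
    kept = []
    for slot, _target, name in entries:
        offset = slot - dump_base
        if 0 <= offset < dump_size:
            kept.append((slot, offset, name))
    return kept


def apply_in_ida(entries):
    """Rename the IAT slots from inside IDAPython (IDA 7+ API).

    The post's script uses the older MakeNameEx call; idc.set_name with
    SN_NOWARN is its replacement. Importing idc here keeps the parsing
    helpers above usable (and testable) outside IDA. Returns the count renamed.
    """
    import idc
    renamed = 0
    for slot, _offset, name in entries:
        if idc.set_name(slot, name, idc.SN_NOWARN):
            renamed += 1
    return renamed


if __name__ == '__main__':
    parsed = dedupe_names(parse_olly_export(SAMPLE_EXPORT))
    # Assumed dump: 0x10000 bytes allocated at 0x00870000 (the base from the post).
    for slot, offset, name in slots_inside_dump(parsed, 0x00870000, 0x10000):
        print('%08X  file+%05X  %s' % (slot, offset, name))
```

Run it outside IDA to confirm the export parses cleanly and every slot falls inside the dump; inside IDAPython, pass the result of `slots_inside_dump` to `apply_in_ida` and then reanalyze as described in the Update.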

If you didn't know, IDAScope has been released. DOWNLOAD

4 comments:

  1. And if you drop the DLL prefix and run auto-analysis once more, you even get parameter propagation, granted you have the proper type library loaded.

    1. Awesome, thank you for the tip. I'll update the post with a second modified version in the next couple of hours.

    2. Updated to reflect your comment. Thanks.

  2. This works great. You just saved me a bunch of time.

    Thanks Alex!
